Diffstat (limited to 'lib/qssl.c')
-rw-r--r-- | lib/qssl.c | 58 |
1 files changed, 39 insertions, 19 deletions
diff --git a/lib/qssl.c b/lib/qssl.c
index dd4f911d1..b8a8daeca 100644
--- a/lib/qssl.c
+++ b/lib/qssl.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -20,12 +20,12 @@
 *
 ***************************************************************************/
-#include "setup.h"
+#include "curl_setup.h"
 
 #ifdef USE_QSOSSL
+
 #include <qsossl.h>
-#include <errno.h>
-#include <string.h>
+
 
 #ifdef HAVE_LIMITS_H
 # include <limits.h>
 #endif
@@ -37,6 +37,7 @@
 #include "sslgen.h"
 #include "connect.h" /* for the connect timeout */
 #include "select.h"
+#include "x509asn1.h"
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
@@ -169,13 +170,10 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
 SSLHandle * h = connssl->handle;
 long timeout_ms;
 
- h->exitPgm = NULL;
-
- if(!data->set.ssl.verifyhost)
- h->exitPgm = Curl_qsossl_trap_cert;
+ h->exitPgm = data->set.ssl.verifypeer? NULL: Curl_qsossl_trap_cert;
 
 /* figure out how long time we should wait at maximum */
- timeout_ms = Curl_timeleft(conn, NULL, TRUE);
+ timeout_ms = Curl_timeleft(data, NULL, TRUE);
 
 if(timeout_ms < 0) {
 /* time-out, bail out, go home */
@@ -208,6 +206,8 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
 break;
 }
 
+ h->peerCert = NULL;
+ h->peerCertLen = 0;
 rc = SSL_Handshake(h, SSL_HANDSHAKE_AS_CLIENT);
 
 switch (rc) {
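Review bot: The `h->exitPgm` ternary in the -169 hunk switches the flag that installs Curl_qsossl_trap_cert from verifyhost to verifypeer without a comment, so the next reader may take the flag change for a typo. The rationale — the trap presumably swallows peer-certificate validation errors, while hostname matching is now done by the explicit Curl_verifyhost call after the handshake (the -238 hunk) — belongs next to the assignment. Suggest `/* Without verifypeer, trap certificate validation errors so the handshake can complete; hostname matching is done separately after the handshake. */`. Curl_qsossl_handshake starts before this hunk and continues past it.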
@@ -238,6 +238,23 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
 return CURLE_SSL_CONNECT_ERROR;
 }
 
+ /* Verify host. */
+ rc = Curl_verifyhost(conn, h->peerCert, h->peerCert + h->peerCertLen);
+ if(rc != CURLE_OK)
+ return rc;
+
+ /* Gather certificate info. */
+ if(data->set.ssl.certinfo) {
+ if(Curl_ssl_init_certinfo(data, 1))
+ return CURLE_OUT_OF_MEMORY;
+ if(h->peerCert) {
+ rc = Curl_extract_certinfo(conn, 0, h->peerCert,
+ h->peerCert + h->peerCertLen);
+ if(rc != CURLE_OK)
+ return rc;
+ }
+ }
+
 return CURLE_OK;
 }
 
@@ -257,19 +274,22 @@ CURLcode Curl_qsossl_connect(struct connectdata * conn, int sockindex)
 
 if(rc == CURLE_OK) {
 rc = Curl_qsossl_create(conn, sockindex);
- if(rc == CURLE_OK)
+ if(rc == CURLE_OK) {
 rc = Curl_qsossl_handshake(conn, sockindex);
- else {
- SSL_Destroy(connssl->handle);
- connssl->handle = NULL;
- connssl->use = FALSE;
- connssl->state = ssl_connection_none;
+ if(rc != CURLE_OK)
+ SSL_Destroy(connssl->handle);
 }
 }
- if (rc == CURLE_OK) {
- connssl->state = ssl_connection_complete;
+
+ if(rc == CURLE_OK) {
 conn->recv[sockindex] = qsossl_recv;
 conn->send[sockindex] = qsossl_send;
+ connssl->state = ssl_connection_complete;
+ }
+ else {
+ connssl->handle = NULL;
+ connssl->use = FALSE;
+ connssl->state = ssl_connection_none;
 }
 
 return rc;
@@ -347,7 +367,7 @@ int Curl_qsossl_shutdown(struct connectdata * conn, int sockindex)
 what = Curl_socket_ready(conn->sock[sockindex], CURL_SOCKET_BAD,
 SSL_SHUTDOWN_TIMEOUT);
 
- for (;;) {
+ for(;;) {
 if(what < 0) {
 /* anything that gets here is fatally bad */
 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
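Review bot: `rc = Curl_verifyhost(conn, h->peerCert, h->peerCert + h->peerCertLen);` in the -238 hunk runs even when the handshake delivered no peer certificate, i.e. h->peerCert is still the NULL it was set to just before SSL_Handshake in the -208 hunk, whereas the certinfo block a few lines below does guard on `if(h->peerCert)`. Whether an empty range fails closed then depends entirely on Curl_verifyhost, which is not visible here; with verifyhost enabled a missing certificate should be rejected explicitly rather than delegated, e.g. `if(!h->peerCert && data->set.ssl.verifyhost) return CURLE_PEER_FAILED_VERIFICATION;` ahead of the call. That guard also avoids forming the end pointer from NULL + 0, which C does not define. Curl_qsossl_handshake begins before this hunk.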
@@ -395,7 +415,7 @@ static ssize_t qsossl_send(struct connectdata * conn, int sockindex,
 
 case SSL_ERROR_BAD_STATE:
 /* The operation did not complete; the same SSL I/O function
- should be called again later. This is basicly an EWOULDBLOCK
+ should be called again later. This is basically an EWOULDBLOCK
 equivalent. */
 *curlcode = CURLE_AGAIN;
 return -1;